[SURBL-Discuss] The (bad) situation with Yahoo / Geocities.

Eric Montréal erv at mailpeers.net
Wed Dec 21 22:32:18 CET 2005


Hi,

It seems like people who were not too optimistic when the number of 
active spamming sites on Geocities dropped from more than 300 to 14 on 
Friday were unfortunately right.

Yahoo / Geocities did not do anything to prevent spammers from 
(ab)using their service and only used the list once to remove their (old 
and unused) spam related sites, but did nothing to prevent spammers from 
building new spammy sites all over again. Today, Geocities still makes 
the bulk of spammy sites on the list (total 368) and in the last 2 days, 
they only closed down 6 of them, that's below 2%!

One thing we learned last Friday is that Yahoo / Geocities are not only 
fully aware of the situation, but they are monitoring this list.

Here is the current active list:
http://nospam.mailpeers.net/alive_spammy.txt

I thought maybe it's difficult to detect those sites, maybe spammers are 
very crafty and make it hard to separate their redirection pages from 
other non spammy pages, so I started analyzing the pages content and 
here is what I found:

- More than 95% of Geocities spammy sites are redirections (the balance 
being 'click here' manual redirections).
- There is surprisingly little variation in those redirection 
scripts.
- The harder spammy tries to obfuscate his scripts, the more evident and 
easy to detect the signs are.
- Only 11 rules have detected *all* redirection scripts to date.
- Non redirection sites are simply detected by the URIs they contain 
(blacklist now, I hope to add SURBL support soon).
- hometown.aol.com *DOES NOT USE ANTIVIRUS!* on their user data. As a 
result, they end up being a malware hosting haven! (even if they 
remove some of them when they get complaints) 
http://nospam.mailpeers.net/alive_spammy_malware.txt
- hometown.aol.com non-malware sites are *all* using the same randomized 
redirection script.
- tripod.com seems to be handling the problem perfectly (unless my 
sampling is severely biased, send me more) and in the rare cases where a 
spammer tries to use them, the spammy site is usually shut down before I 
list it. Fight the spammies, and they'll move away. Why are the others 
not doing the same?

You'll find the complete analysis results for all alive spammy sites on 
this page (updated regularly):
http://nospam.mailpeers.net/alive_spammy2.txt

I also added http://nospam.mailpeers.net/fresh_alive_spammy.txt that 
lists the most recent entries (first one is the most recent). These 
sites are actively used in current spam runs (the ones you *really* want 
down!).

In cases where spammy does not encrypt his redirector, extracting the 
real target URL behind the redirector is a piece of cake.
They end up here, along with blacklisted ones, in 
http://nospam.mailpeers.net/spammy_targets.txt  (with country code)
Some of them (but not all) are already listed in SURBL.

BTW, is there a script (bash, perl, whatever) that simply decodes URIs 
and queries SURBL?

I won't distribute the rules, since their effectiveness would be 
immediately impaired, but if the Yahoo guy or the AOL guy want them, I'd 
be glad to share... however, at least for Yahoo/Geocities, I have no 
illusions.

The very low amount of variation makes me wonder. Is it because all 
spammers use the same spamware to generate their redirection pages, or 
are only a selected few of them 'allowed' to (ab)use Geocities for their 
redirection needs?

------------

So, what's next ?

hometown.aol.com is actually shutting down some sites, but it's too few, 
too late. They need to be more proactive. The worst problem with their 
service is the presence of malware. A list member sent me a reporting 
address for hometown.aol.com abuses, I'll see if it works, and if so, 
it will become automatic.

Yahoo/Geocities is a different beast. After months of well known abuse 
and minimal action, I think they deserve to be treated as a spam 
resource provider.

Just like other spam resource providers, they can get away with it just 
as long as their regular customers are not aware of their activities.

Their parent company being Yahoo, it's completely useless to complain to 
their upstream ;-) but they have to protect Yahoo's corporate image. If 
Yahoo sees a serious risk that their name will be associated with spam 
support / illegal activities, a *real* change will occur.

I think I've done my homework collecting enough proof of 
Yahoo/Geocities's refusal to stop the spam support activities taking 
place on their network and that it could be used as a starting point in 
gathering enough evidence (+insiders info?) to issue a well researched 
press release.

Obviously, since (as you might have noticed!) English is not my main 
language and I'm not familiar with the press, this is a call for 
volunteers for the additional data collection and redaction work.

Regards,

Eric

------------

PS-1: If you operate SpamAssassin 3.xx, you can share all the Geocities 
/ AOL / tripod URIs in the messages going through your server in near 
real time. All it takes is a 4-line patch in URIDNSBL.pm and a simple 
cron job.
PS-2: I'd like to have independent third party daily backups of the whole 
nospam.mailpeers.net subdomain. It's small, and a simple wget -r -w3 
would do. If you want to do it, email me so that I'm aware of it.
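An added example (not code from the post or from any list member) of the kind of helper the post asks for: it extracts and percent-decodes the URIs in a message, reduces each to the domain SURBL would list, builds the multi.surbl.org query name and decodes the answer bits, and pulls the destination out of an unobfuscated redirector page. The SURBL bit map and the small public-suffix set are assumptions, and the sample message and redirector page are constructed.

```python
import re
import socket
from urllib.parse import unquote, urlsplit

# Constructed sample message (not from the post): nested and full percent-encoding.
SAMPLE_MESSAGE = ("Visit http://www.geocities.com/some%5Fuser/page.html now\n"
                  "or http%3A%2F%2Fwww.example.com%2Fpromo for more")
# Constructed sample of an unobfuscated meta-refresh redirector page.
SAMPLE_REDIRECTOR = ('<html><head><meta http-equiv="refresh" '
                     'content="0;URL=http://target.example.com/buy"></head></html>')

URL_RE = re.compile(r"https?(?::|%3A)(?://|%2F%2F)[^\s<>\"']+", re.I)
META_RE = re.compile(r'http-equiv=["\']?refresh["\']?[^>]*?url=([^"\'>\s]+)', re.I)
JS_RE = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
# Assumed: multi.surbl.org answer bits (127.0.0.<bits>) as SURBL documented them
# around 2005; verify against current SURBL documentation before relying on this.
SURBL_BITS = {2: "sc", 4: "ws", 8: "ph", 16: "ob", 32: "ab", 64: "jp"}
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}  # assumed subset of the PSL

def extract_uris(text):
    # Find http(s) URIs, including percent-encoded ones, and undo nested encoding.
    found = []
    for uri in URL_RE.findall(text):
        while (decoded := unquote(uri)) != uri:
            uri = decoded
        found.append(uri)
    return found

def registrable_domain(uri):
    # Reduce to the domain SURBL lists: two labels, three under known ccTLD suffixes.
    labels = (urlsplit(uri).hostname or "").lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def surbl_query_name(domain):
    return domain + ".multi.surbl.org"

def decode_surbl_answer(addr):  # 127.0.0.N -> names of the sub-lists set in N
    bits = int(addr.rsplit(".", 1)[1])
    return [name for bit, name in sorted(SURBL_BITS.items()) if bits & bit]

def check_surbl(domain):  # live DNS lookup (needs network); [] means not listed
    try:
        return decode_surbl_answer(socket.gethostbyname(surbl_query_name(domain)))
    except socket.gaierror:  # NXDOMAIN: domain is on no SURBL sub-list
        return []

def redirect_target(html):  # destination of an unobfuscated meta-refresh/JS redirector
    m = META_RE.search(html) or JS_RE.search(html)
    return unquote(m.group(1)) if m else None
```

Feed each domain from extract_uris into check_surbl to get the live listing; the other functions run offline.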